A report released by the Senate Commerce Committee on March 25 suggests that Target Corp. failed to take adequate steps to prevent hackers from gaining access to its computer network and stealing the financial and personal information of as many as 110 million customers.
The report details how Target possibly failed to take advantage of several opportunities to prevent the massive data breach in 2013. This included allowing attackers to take advantage of weak security at a Target vendor, missing warnings from its anti-intrusion software that attackers were installing malware in its network, and allowing the attackers to take advantage of weak controls within Target’s network and successfully maneuver into the network’s most sensitive areas.
“I think we can all agree that if Target – or any other company – is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves,” said Sen. John J. Rockefeller (D-WV), chairman of the Senate Committee on Commerce, Science, and Transportation, at a hearing the next day. “It is now well known that Target fell far short of doing this.”
The chairman also highlighted legislation he recently introduced, the Data Security and Breach Notification Act (S. 1976), that would – for the first time – establish strong, federal consumer data security and breach notification standards.
At the same hearing, Federal Trade Commission (FTC) Chairwoman Edith Ramirez called on Congress to enact legislation that would give the agency a central role in crafting data protection and breach reporting standards. She said companies are continuing to underinvest in data security, so legislation is needed that would grant the FTC civil penalty authority, Administrative Procedure Act rulemaking authority, and jurisdiction over non-profit organizations.
Earlier in the week, the FTC confirmed that it is investigating the massive data security breach at Target Corp.